Schemas

Included indexes

index	description
`detection-rules*`	contains the latest snapshot of all rules, refreshed every 24h
`all-detection-rules*`	contains only new and changed rules over time
`rule-alerts`	contains rule alerts such as new fields or techniques detected

Schemas for all indexes

field	type	description
`rule.author`	`str`	source vendor for the rule
`rule.category`	`list[str]`	categorical breakdown of the rule
`rule.description`	`str`	information about the rule
`rule.id`	`str`	unique UUID from the original rule
`rule.license`	`str`	source license for the rule
`rule.link`	`str`	source link for the rule
`rule.logic`	`str`	detection logic for the rule
`rule.logic_hash`	`str`	hash of the detection logic
`rule.name`	`str`	name of the rule
`rule.ruleset`	`list[str]`	same as rule.category
`rule.sha`	`str`	hash of the rule (from git)
`rule.techniques`	`list[str]`	list of ATT&CK technique IDs
`rule.uuid`	`str`	same as rule.id
`status`	`str`	status of the rule (`new`, `updated`, `unchanged`) (to avoid double counting, it is always based on the previous day 24h window, which also rolls multiple single day changes into 1)
`updated_at`	`datetime`	timestamp of the last update (for `all-detection-rules` it is based on the git change time and for `detection-rules` this is the time it was retrieved)
`rule.false_positives`	`list[Optional[str]]`	list of false positive
`rule.fields`	`list[Optional[str]]`	unique list of fields from the detection logic
`rule.fields_normalized`	`list[Optional[str]]`	unique list of normalized fields from the detection logic
`rule.references`	`list[Optional[str]]`	references from the source rule

`rule.fields_normalized`

This field has the same values as rule.fields however, the values are normalized by:

switching from camelCase to snake_case
replacing _ with .
replacing junctions of camelCase words with .
lower cased

The purpose of this is to standardize comparisons across the disparate rule sets. This format is based on the Elastic ECS format.

Example event in elasticsearch

{
  "rule.techniques": [
    "T1543",
    "T1556"
  ],
  "rule.logic": "event.category:file and event.type:change and\n  (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and\n  process.executable:\n    (* and\n      not\n      (\n        /usr/libexec/packagekitd or\n        /usr/bin/vim or\n        /usr/libexec/xpcproxy or\n        /usr/bin/bsdtar or\n        /usr/local/bin/brew or\n        \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n      )\n    ) and\n  not file.path:\n         (\n           /tmp/snap.rootfs_*/pam_*.so or\n           /tmp/newroot/lib/*/pam_*.so or\n           /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n           /tmp/newroot/usr/lib64/security/pam_*.so\n         ) and\n  not process.name:\n         (\n           yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or\n           dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or\n           systemd or containerd or pacman\n         )\n",
  "rule.logic_hash": "1c31a5310f0b2617c31b24c996492633e413a7dddb4571b2d7900ee6605bf99c",
  "rule.fields": [
    "event.type",
    "process.executable",
    "process.name",
    "file.path",
    "event.category",
    "file.name"
  ],
  "rule.fields_normalized": [
    "event.category",
    "event.type",
    "file.name",
    "file.path",
    "process.executable",
    "process.name"
  ],
  "rule.references": [
    "https://github.com/zephrax/linux-pam-backdoor",
    "https://github.com/eurialo/pambd",
    "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
    "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"
  ],
  "rule.false_positives": [
    "trusted system module updates or allowed pluggable authentication module (pam) daemon configuration changes."
  ],
  "rule.link": "https://github.com/elastic/detection-rules/blob/da8f3e48806300ea7384bad8bdf75a1d2750c5b2/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml",
  "status": "unchanged",
  "rule.sha": "da8f3e48806300ea7384bad8bdf75a1d2750c5b2",
  "rule.author": "elastic_siem",
  "rule.category": [
    "cross-platform"
  ],
  "rule.description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process\nor modifying the login configuration to allow unauthorized access or elevate privileges.\n",
  "rule.id": "93f47b6f-5728-4004-ba00-625083b3dcb0",
  "rule.license": "elastic license 2.0",
  "rule.name": "Modification of Standard Authentication Module or Configuration",
  "rule.ruleset": [
    "cross-platform"
  ],
  "rule.uuid": "93f47b6f-5728-4004-ba00-625083b3dcb0",
  "updated_at": "2024-06-22T23:11:34.444Z"
}

Additional fields for rule-alerts schema

The following additional fields are present within the rule-alerts index:

field	type	description
`new_terms`	`list[str]`	list of newly identified terms over the last 30 days
`new_terms_description`	`str`	description of the type of new terms

Example:

{
  "new_terms": [
    "entry.exists",
    "entry.trusted",
    "process.thread.ext.call.stack.final.user.module.code.signature"
  ],
  "new_terms_description": "new detection logic fields by author detected over last 30d"
}

The four types of new terms are:

new detection logic fields detected over last 30d
new detection logic fields by author detected over last 30d
new techniques detected over last 30d
new techniques by author detected over last 30d